Unencrypted traffic between pods when using Wireguard and an external kvstore

CVE-2024-25631 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Impact

For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted.

Patches

This issue affects Cilium v1.14 before v1.14.7.

This issue has been patched in Cilium v1.14.7.

Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @giorio94 and @gandro for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [email protected]. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2024-02-20 23:45:16 UTC
Updated
2026-03-21 05:27:14 UTC
GitHub reviewed
2024-02-20 23:45:16 UTC
NVD published
2024-02-20

EPSS Score

Score Percentile
0.05% 15.51%

CVSS Scores

Base score Version Severity Vector
6.1 3.1
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

Type Value
GHSA GHSA-x989-52fc-4vr4 ↗
CVE CVE-2024-25631 ↗

CWEs

CWE id Name
CWE-311 Missing Encryption of Sensitive Data
CWE-319 Cleartext Transmission of Sensitive Information

Credits

  • gandro (remediation_reviewer)
  • giorio94 (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/cilium/cilium >= 1.14.0, < 1.14.7 1.14.7

References

cvelogic Threat Intelligence